Closed
Bug 1676505
Opened 4 years ago
Closed 4 years ago
Assertion failure: !_owningThread || _owningThread->IsCurrentThread() (WeakPtr accessed from multiple threads), at /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:201
Categories
(Core :: Graphics: WebRender, defect, P3)
Core
Graphics: WebRender
Tracking
()
RESOLVED
FIXED
85 Branch
People
(Reporter: tsmith, Assigned: sotaro)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: assertion, crash, regression)
Attachments
(1 file)
The fuzzers have been hitting this a few times a day since 20200910-e995e42082ee.
It doesn't look like we are going to get a test case that reduces or even reproduces reliably. If this can be fixed without a test we should be confirm by watching fuzzer results.
Assertion failure: !_owningThread || _owningThread->IsCurrentThread() (WeakPtr accessed from multiple threads), at /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:201
#0 0x7f369cfa39d6 in mozilla::detail::WeakReference::detach() /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:201:5
#1 0x7f369fb604e8 in DetachWeakPtr /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:220:38
#2 0x7f369fb604e8 in ~SupportsWeakPtr /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:215:24
#3 0x7f369fb604e8 in mozilla::layers::WebRenderBridgeParent::~WebRenderBridgeParent() /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:387:50
#4 0x7f369fb6076c in ~WebRenderBridgeParent /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:387:49
#5 0x7f369fb6076c in non-virtual thunk to mozilla::layers::WebRenderBridgeParent::~WebRenderBridgeParent() /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp
#6 0x7f369fbe221b in Release /builds/worker/workspace/obj-build/dist/include/mozilla/layers/ISurfaceAllocator.h:70:3
#7 0x7f369fbe221b in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#8 0x7f369fbe221b in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#9 0x7f369fbe221b in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#10 0x7f369fbe221b in ~SceneBuiltNotification /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:214:7
#11 0x7f369fbe221b in mozilla::layers::SceneBuiltNotification::~SceneBuiltNotification() /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:214:7
#12 0x7f36ac61e3dd in webrender_api::NotificationRequest::notify::h004118327a611689 /gecko/gfx/wr/webrender_api/src/lib.rs:265:13
#13 0x7f36ac414184 in webrender::scene_builder_thread::SceneBuilderThread::process_transaction::_$u7b$$u7b$closure$u7d$$u7d$::hcf1bc247e86af920 /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:681:19
#14 0x7f36ac414184 in webrender::util::drain_filter::h53be619de90de538 /gecko/gfx/wr/webrender/src/util.rs:1109:13
#15 0x7f36ac414184 in webrender::scene_builder_thread::SceneBuilderThread::process_transaction::ha9eedb2f69a1d66d /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:678:9
#16 0x7f36ac43b86b in webrender::scene_builder_thread::SceneBuilderThread::run::_$u7b$$u7b$closure$u7d$$u7d$::hf65ac4dfa20e4b95 /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:308:36
#17 0x7f36ac43b86b in core::iter::adapters::map_fold::_$u7b$$u7b$closure$u7d$$u7d$::hc1ffba1cffd73a83 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/mod.rs:825:28
#18 0x7f36ac43b86b in core::iter::traits::iterator::Iterator::fold::h4060ce62029a0598 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:2004:21
#19 0x7f36ac43b86b in _$LT$core..iter..adapters..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::fold::hb281e9df14a6eba2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/mod.rs:865:9
#20 0x7f36ac43b86b in core::iter::traits::iterator::Iterator::for_each::haef3e2e131090990 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:651:9
#21 0x7f36ac43b86b in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::h0a44d1e777d1b399 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec.rs:2165:17
#22 0x7f36ac43b86b in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$T$C$I$GT$$GT$::from_iter::h984725e71642a67d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec.rs:2145:9
#23 0x7f36ac43b86b in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::hf52ce282c83c3895 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec.rs:2020:9
#24 0x7f36ac43b86b in core::iter::traits::iterator::Iterator::collect::h91422b589b508c9c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:1653:9
#25 0x7f36ac43b86b in webrender::scene_builder_thread::SceneBuilderThread::run::h1f60817eed30753c /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:307:67
#26 0x7f36ac5e048e in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h4dbff591350e4eb9 /gecko/gfx/wr/webrender/src/renderer.rs:2718:13
#27 0x7f36ac5e048e in std::sys_common::backtrace::__rust_begin_short_backtrace::h0b6f9238b42dec94 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:137:18
#28 0x7f36ac5e0186 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h2a04895981fd0b9a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:458:17
#29 0x7f36ac5e0186 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h13237a556cac27a2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:308:9
#30 0x7f36ac5e0186 in std::panicking::try::do_call::hb1d9f068f71689cf /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:373:40
#31 0x7f36ac5e0186 in std::panicking::try::ha078232b92e7d0ce /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:337:19
#32 0x7f36ac5e0186 in std::panic::catch_unwind::h9959b39d6a7efa5e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:379:14
#33 0x7f36ac5e0186 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::he36cbc546827000e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:457:30
#34 0x7f36ac5e0186 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h5c102fa242fc8e9f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
#35 0x7f36aba51d74 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h670c50864ac2cb92 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/alloc/src/boxed.rs:1042:9
#36 0x7f36aba51d74 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h2511952749086d81 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/alloc/src/boxed.rs:1042:9
#37 0x7f36aba51d74 in std::sys::unix::thread::Thread::new::thread_start::h5ad4ddffe24373a8 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/sys/unix/thread.rs:87:17
#38 0x7f36b9ba0608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
#39 0x7f36b9769292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:201:5 in mozilla::detail::WeakReference::detach()
Thread T221 (WRScene~ilder#1) created by T53 (Renderer) here:
#0 0x55b8f82347fa in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7f36aba51ae7 in std::sys::unix::thread::Thread::new::h6b1597702d52a1af /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/sys/unix/thread.rs:66:19
Thread T53 (Renderer) created by T0 here:
#0 0x55b8f82347fa in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7f369e3117dc in CreateThread /gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7f369e3117dc in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
#3 0x7f369e3252bd in base::Thread::StartWithOptions(base::Thread::Options const&) /gecko/ipc/chromium/src/base/thread.cc:97:8
#4 0x7f36a024a22f in mozilla::wr::RenderThread::Start() /gecko/gfx/webrender_bindings/RenderThread.cpp:88:16
#5 0x7f369ffa19a9 in gfxPlatform::InitLayersIPC() /gecko/gfx/thebes/gfxPlatform.cpp:1348:7
#6 0x7f369ff9cede in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:988:3
#7 0x7f369ff9b46b in gfxPlatform::GetPlatform() /gecko/gfx/thebes/gfxPlatform.cpp:510:5
#8 0x7f36a50d7d4c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /gecko/widget/GfxInfoBase.cpp:1780:25
#9 0x7f369d16b0f1 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7f369f21a1b8 in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
#11 0x7f369f21a1b8 in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
#12 0x7f369f21a1b8 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
#13 0x7f369f22017b in GetAttribute /gecko/js/xpconnect/src/xpcprivate.h:1467:12
#14 0x7f369f22017b in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
#15 0x7f36a90b36f4 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
#16 0x7f36a90b36f4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
#17 0x7f36a90b5ace in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
#18 0x7f36a90b5e50 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
#19 0x7f36a90b77d8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:805:10
#20 0x7f36a963c3cc in CallGetter /gecko/js/src/vm/NativeObject.cpp:2382:12
#21 0x7f36a963c3cc in GetExistingProperty<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2434:12
#22 0x7f36a963c3cc in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2579:14
#23 0x7f36a963c3cc in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2616:10
#24 0x7f36a909fbc9 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:117:10
#25 0x7f36a909fbc9 in GetObjectElementOperation /gecko/js/src/vm/Interpreter-inl.h:455:10
#26 0x7f36a909fbc9 in GetElementOperationWithStackIndex /gecko/js/src/vm/Interpreter-inl.h:569:10
#27 0x7f36a909fbc9 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3141:14
#28 0x7f36a907cf26 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:477:13
#29 0x7f36a90b38fc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
#30 0x7f36a90b5ace in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
#31 0x7f36a90b5e50 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
#32 0x7f36a9a408c0 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2767:10
#33 0x7f369f20ca09 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:970:17
#34 0x7f369d16ca40 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#35 0x7f369d16b7da in SharedStub (/home/worker/builds/m-c-20201110163510-fuzzing-asan-opt/libxul.so+0x47687da)
#36 0x7f369d0c7a4d in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:686:19
#37 0x7f36a8e65941 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:980:11
#38 0x7f36a8e464d7 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:4867:16
#39 0x7f36a8e4936b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5283:8
#40 0x7f36a8e49c73 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5339:21
#41 0x55b8f827cff5 in do_main /gecko/browser/app/nsBrowserApp.cpp:218:22
#42 0x55b8f827cff5 in main /gecko/browser/app/nsBrowserApp.cpp:336:16
|
||
Comment 1•4 years ago
|
||
Sotaro, it looks like you added the WebRenderBridgeParent WeakPtr in bug 1529027. It seems to be getting destroyed off the main thread now and is not necessarily thread safe?
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Comment 2•4 years ago
•
|
||
It seems to be related to Bug 1651053. When WebRenderBridgeParent supports ThreadSafeWeakPtr, it could be destroyed off compositor thread.
|
|
Assignee | |
Comment 3•4 years ago
|
||
(In reply to Sotaro Ikeda [:sotaro] from comment #2)
It seems to be related to Bug 1651053. When WebRenderBridgeParent supports ThreadSafeWeakPtr, it could be destroyed off compositor thread.
Ah, WebRenderBridgeParent could not supports ThreadSafeWeakPtr directly, since ThreadSafeWeakPtr does not work with MOZ_DECLARE_REFCOUNTED_TYPENAME(ISurfaceAllocator).
|
|
Assignee | |
Comment 4•4 years ago
|
||
|
|
Assignee | |
Comment 5•4 years ago
|
||
Flags: needinfo?(sotaro.ikeda.g)
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → sotaro.ikeda.g
|
|
Assignee | |
Comment 6•4 years ago
|
||
Pushed by sikeda.birchill@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d5ecbd2bae0f Add WebRenderBridgeParentRef instead of WebRenderBridgeParent's WeakPtr r=nical
|
||
Comment 8•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox85:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
|
||
Updated•4 years ago
|
|
||
Comment 9•3 years ago
|
||
The patch landed in nightly and beta is affected.
:sotaro, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(sotaro.ikeda.g)
|
||
Updated•3 years ago
|
Flags: needinfo?(sotaro.ikeda.g)
|
||
Updated•3 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•